Battle lines drawn about government's role in protecting cyberspace

By William Jackson

May 27, 2011

The battle over the government's role in protecting critical infrastructure has begun.

On one side are the Obama administration and some security experts who argue that the government, and specifically the Homeland Security Department, needs to be deeply involved to ensure consistent security in privately-owned critical infrastructure. On the other side are some congressional Republicans and business groups who want government to mostly stay out of controlling private industry.

The White House on May 25 sent a Homeland Security Department official rather than Cybersecurity Coordinator Howard Schmidt to testify before the House Oversight and Government Reform Committee's National Security, Homeland Defense and Foreign Operations Subcommittee, saying Congress has no oversight authority over Schmidt.

Subcommittee Chairman Rep. Jason Chaffetz (R-Utah) chastised the administration for its decision and called for a non-partisan dialog on protecting critical infrastructure.

The status of the cybersecurity coordinator is one of the key differences between a White House legislative proposal recently sent to Capitol Hill and a bill now pending in the Senate that would make the position subject to Senate approval and congressional oversight.

The full House Oversight and Government Reform Committee will hold a hearing June 1 on the White House proposal.

Meanwhile, opinions differ on what role the government would play in securing privately owned critical infrastructure. Sean McGurk, director of the control systems security program in DHS' National Cyber Security Division, described the department’s role as a facilitator, working voluntarily with companies.

McGurk said his program has done 75 security assessments this year for companies that have requested them. “A week does not go by that I don’t have a team in the field working with the private sector,” he said.

James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies (CSIS), argued for more authority for DHS in protecting critical infrastructure. “DHS must be able to mandate risk-based performance,” he said.

Industry wants government to maintain its light touch on cybersecurity regulation. Phillip Bond, president and CEO of the industry organization TechAmerica, said the first rule is that “Congress should do no harm,” and called for a system of incentives and liability protections for companies.

One area in which industry would like to see regulation is in data breach reporting, where companies now are dealing with a patchwork of 47 state laws with differing requirements for notifying consumers when sensitive personal information has been stolen or exposed.

He outlined principles for that type of regulation, which closely follow the requirements in the White House legislative proposal. They include a risk-based standard requiring notification only when a breach presents a significant risk of harm to consumers, federal preemption of state notification laws, and an exemption when personally identifiable information is protected by best practices such as encryption, access controls or redaction.

In addition to the threats of online theft or espionage, government also must deal with the threat of cyberwar. Lewis drew a clear distinction between these threats, defining cyberwar as a malicious action in cyberspace equivalent to the use of conventional weapons.

“We tend to call everything bad that happens in cyberspace an attack, but it is more realistic to say that if there is no damage, death or destruction, it is not an attack,” Lewis said. “We know of only three cyber incidents that rise to this level: The Stuxnet attack, the reported blackout in Brazil, and the interference with air defenses in the Israeli raid on a Syrian nuclear facility. Everything else qualifies as crime or espionage.”

Dean Turner, director of Symantec’s Global Intelligence Network, agreed that Stuxnet, the worm that apparently targeted control systems for equipment in an Iranian nuclear processing facility, constitutes a new type of threat. “Stuxnet was a game changer,” he said.

Lewis said CSIS has identified 36 countries that have developed a military doctrine for cyber conflict and that it is reasonable to assume that they possess offensive capabilities. “Cyber attack will be like the airplane – within a few years, no self-respecting military will be without this capability,” he said.

But DHS, which has primary responsibility for protecting civilian IT systems in the .gov domain, does not distinguish between attacks from nation states and those conducted by criminals or other organizations. McGurk said the focus is on identifying and mitigating risk, and that attribution is difficult and unnecessary. “The source isn’t important,” he said.

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

OPM is partnering with CSID to try to manage the fallout from a massive breach of some 4 million federal personnel records.

Reader comments

Tue, May 31, 2011

Gotta love it. Private industry says "butt out, government. We'll take the risk, in order to (hopefully) make more profits without spending all that money on security." But... give us "liability protections for companies".
Yeah, give us a break -- they'll play Russian Roulette with critical infrastructure, and the tax payer will bail them out when it goes "pop".

Tue, May 31, 2011

How does gov't get involved without also capturing all data for intrusive monitoring at will?

Tue, May 31, 2011
Glenn Schlarman
Annandale, VA

The schizophrenia continues.
On the one hand, for federal agencies we get command and control. DHS gets great power because apparently the agencies' knowledge of their own systems, business needs and self-interests cannot possibly result in adequate security. And only DHS working with NSA can solve the problem.
But, what does our current command and control security performance look like? DOD it would seem has the most likely ability to enforce command and control on itself, yet it also has the most compromised systems in government. So the answer is let's do more of that?
One the other hand, despite the fear of a calamity putting entire sectors of our nation's critical infrastructure at risk, DHS will work voluntarily with industry to facilitate what exactly? Sounds like we're down to just two choices -- a kill switch or nothing.
If voluntary facilitation will work for the nation's most critical industry sectors, is command and control for all federal agencies really necessary? Or are we only doing it because we can?
Can we please get some professional counseling or at least adult supervision?

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.